Impact
A DOM-based Cross-Site Scripting flaw exists in Adobe Experience Manager: attacker-controlled input reaches the browser-side Document Object Model, allowing injected JavaScript to execute in a victim's browser. Because the vulnerability is triggered by crafted URLs or web content, exploitation requires user interaction; the attacker must lure a victim into visiting a malicious page. Once invoked, the script runs with the same privileges as the victim's session, enabling actions such as data theft, session hijacking, or defacement. The weakness is classified as CWE-79 and is mitigated in newer releases.
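A minimal illustration of the DOM-based XSS pattern described above, added here as an example and not taken from Adobe's code or from this advisory: untrusted data from the URL fragment reaches an HTML-interpreting sink, shown next to two hardened forms that treat it as text. The fragment value and the stub element are constructed so the snippet runs outside a browser; the `#name=` parameter and the function names are assumptions, not anything from AEM.

```javascript
// Added example (not AEM code): DOM-based XSS source -> sink, and the safe forms.
// Source: the URL fragment, which an attacker controls via a crafted link.
// Constructed sample input; a real page would read window.location.hash.
const craftedFragment = '#name=<img src=x onerror=alert(1)>';

// Parses a "#name=..." fragment the way a naive page script might.
function nameFromFragment(fragment) {
  const m = /^#name=(.*)$/.exec(decodeURIComponent(fragment));
  return m ? m[1] : 'guest';
}

// VULNERABLE: the untrusted string is concatenated into markup that a
// browser would parse when it is assigned to innerHTML (the HTML sink).
function greetingMarkupUnsafe(fragment) {
  return '<p>Welcome, ' + nameFromFragment(fragment) + '</p>';
}

// HARDENED, option 1: escape the HTML metacharacters before the string
// is ever interpreted as markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}
function greetingMarkupSafe(fragment) {
  return '<p>Welcome, ' + escapeHtml(nameFromFragment(fragment)) + '</p>';
}

// HARDENED, option 2 (preferred): never hand the string to an HTML sink;
// write it through textContent so the browser treats it as data only.
function renderSafe(element, fragment) {
  element.textContent = 'Welcome, ' + nameFromFragment(fragment);
  return element.textContent;
}

// Stand-in for a DOM element so the snippet runs in Node; in a browser this
// would be document.getElementById('greeting') or similar.
const stubElement = { textContent: '' };

console.log(greetingMarkupUnsafe(craftedFragment)); // tag survives intact
console.log(greetingMarkupSafe(craftedFragment));   // tag neutralised
console.log(renderSafe(stubElement, craftedFragment));
```

The defensive point is that the fix belongs at the sink: choose `textContent` (or a templating layer that escapes by default) over `innerHTML`, and review client-side scripts for any place where `location`, `document.referrer` or `postMessage` data is written into markup.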
Affected Systems
Adobe Experience Manager version 6.5.24, the LTS SP1 release, and the 2026.04 build are affected. Any installation of these releases that serves user-generated or external content remains vulnerable. Administrators running these versions should verify their current patch level and consider upgrading to a release that addresses the issue.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity; no EPSS score is available, and the issue is not currently listed in the CISA KEV catalog. Exploitation requires user interaction, so the likelihood of widespread attacks is lower than for a vulnerability that can be exploited without a victim clicking a link. However, once a victim visits a crafted page, the attacker can execute script with the victim's privileges, posing a significant risk to confidentiality and integrity within the affected context.
OpenCVE Enrichment